Skip to content

verify action id before parsing body#58977

Merged
ztanner merged 5 commits into
canaryfrom
11-27-verify_action_id_before_parsing_body
Nov 29, 2023
Merged

verify action id before parsing body#58977
ztanner merged 5 commits into
canaryfrom
11-27-verify_action_id_before_parsing_body

Conversation

@ztanner
Copy link
Copy Markdown
Member

@ztanner ztanner commented Nov 27, 2023
edited
Loading

What?

When handling a server action, in the non-progressive enhanced case, React will attempt to parse the request body before verifying if a valid server action is received. This results in an "Error: Connection Closed" error being thrown, rather than ignoring the action and failing more gracefully

Why?

To support progressive enhancement with form actions, the actionId value is added as a hidden input in the form, so the action ID from the header shouldn't be verified until determining that we've reached the non-PE case. (React ref). However, in #49187, support was added for a URL encoded form (which is not currently used, as indicated on the PR).

Despite it not being used for server actions, it's currently possible to trigger this codepath, ie by calling redirect in an action handler with a 307/308 status code with some data in the URL. This would result in a 500 error.

How?

React should not attempt to parse the URL encoded form data until after we've verified the server action header for the non-PE case.

x-ref NEXT-1733
Slack context

This was referenced Nov 27, 2023
Merged
Merged
@ztanner
Copy link
Copy Markdown
Member Author

ztanner commented Nov 27, 2023
edited
Loading

Current dependencies on/for this PR:

This stack of pull requests is managed by Graphite.

@ztanner ztanner mentioned this pull request Nov 27, 2023
Merged
@ijjk
Copy link
Copy Markdown
Member

ijjk commented Nov 27, 2023
edited
Loading

Failing test suites

Commit: f9f9bc6

pnpm test-dev test/e2e/app-dir/app-compilation/index.test.ts

  • app dir > HMR > should not cause error when removing loading.js
Expand output

● app dir › HMR › should not cause error when removing loading.js

TIMED OUT: hello from new page

hello from slow page

undefined

  626 |
  627 |   if (hardError) {
> 628 |     throw new Error('TIMED OUT: ' + regex + '\n\n' + content + '\n\n' + lastErr)
      |           ^
  629 |   }
  630 |   return false
  631 | }

  at check (lib/next-test-utils.ts:628:11)
  at Object.<anonymous> (e2e/app-dir/app-compilation/index.test.ts:44:11)

Read more about building and testing Next.js in contributing.md.

@ijjk
Copy link
Copy Markdown
Member

ijjk commented Nov 27, 2023
edited
Loading

Stats from current PR

Default Build (Increase detected ⚠️)
General Overall increase ⚠️
vercel/next.js canary vercel/next.js 11-27-verify_action_id_before_parsing_body Change
buildDuration 10.6s 10.5s N/A
buildDurationCached 6s 5.9s N/A
nodeModulesSize 199 MB 199 MB ⚠️ +37.4 kB
nextStartRea..uration (ms) 423ms 428ms N/A
Client Bundles (main, webpack)
vercel/next.js canary vercel/next.js 11-27-verify_action_id_before_parsing_body Change
199-HASH.js gzip 30.7 kB 30.7 kB N/A
3f784ff6-HASH.js gzip 53.3 kB 53.3 kB
494.HASH.js gzip 180 B 181 B N/A
framework-HASH.js gzip 45.2 kB 45.2 kB
main-app-HASH.js gzip 241 B 239 B N/A
main-HASH.js gzip 31.7 kB 31.7 kB N/A
webpack-HASH.js gzip 1.7 kB 1.7 kB
Overall change 100 kB 100 kB
Legacy Client Bundles (polyfills)
vercel/next.js canary vercel/next.js 11-27-verify_action_id_before_parsing_body Change
polyfills-HASH.js gzip 31 kB 31 kB
Overall change 31 kB 31 kB
Client Pages
vercel/next.js canary vercel/next.js 11-27-verify_action_id_before_parsing_body Change
_app-HASH.js gzip 194 B 195 B N/A
_error-HASH.js gzip 182 B 181 B N/A
amp-HASH.js gzip 501 B 503 B N/A
css-HASH.js gzip 322 B 323 B N/A
dynamic-HASH.js gzip 2.5 kB 2.5 kB
edge-ssr-HASH.js gzip 253 B 255 B N/A
head-HASH.js gzip 348 B 347 B N/A
hooks-HASH.js gzip 369 B 368 B N/A
image-HASH.js gzip 4.27 kB 4.27 kB N/A
index-HASH.js gzip 256 B 256 B
link-HASH.js gzip 2.61 kB 2.6 kB N/A
routerDirect..HASH.js gzip 311 B 311 B
script-HASH.js gzip 384 B 383 B N/A
withRouter-HASH.js gzip 307 B 308 B N/A
1afbb74e6ecf..834.css gzip 106 B 106 B
Overall change 3.17 kB 3.17 kB
Client Build Manifests
vercel/next.js canary vercel/next.js 11-27-verify_action_id_before_parsing_body Change
_buildManifest.js gzip 484 B 483 B N/A
Overall change 0 B 0 B
Rendered Page Sizes
vercel/next.js canary vercel/next.js 11-27-verify_action_id_before_parsing_body Change
index.html gzip 528 B 526 B N/A
link.html gzip 539 B 539 B
withRouter.html gzip 524 B 521 B N/A
Overall change 539 B 539 B
Edge SSR bundle Size Overall increase ⚠️
vercel/next.js canary vercel/next.js 11-27-verify_action_id_before_parsing_body Change
edge-ssr.js gzip 92.6 kB 92.6 kB N/A
page.js gzip 145 kB 146 kB ⚠️ +134 B
Overall change 145 kB 146 kB ⚠️ +134 B
Middleware size
vercel/next.js canary vercel/next.js 11-27-verify_action_id_before_parsing_body Change
middleware-b..fest.js gzip 625 B 623 B N/A
middleware-r..fest.js gzip 150 B 151 B N/A
middleware.js gzip 35.7 kB 35.7 kB N/A
edge-runtime..pack.js gzip 1.92 kB 1.92 kB
Overall change 1.92 kB 1.92 kB
Next Runtimes
vercel/next.js canary vercel/next.js 11-27-verify_action_id_before_parsing_body Change
app-page-exp...dev.js gzip 168 kB 168 kB N/A
app-page-exp..prod.js gzip 93.6 kB 93.7 kB N/A
app-page-tur..prod.js gzip 94.4 kB 94.5 kB N/A
app-page-tur..prod.js gzip 88.9 kB 89 kB N/A
app-page.run...dev.js gzip 138 kB 138 kB N/A
app-page.run..prod.js gzip 88.3 kB 88.4 kB N/A
app-route-ex...dev.js gzip 24.2 kB 24.2 kB
app-route-ex..prod.js gzip 16.8 kB 16.8 kB
app-route-tu..prod.js gzip 16.9 kB 16.9 kB
app-route-tu..prod.js gzip 16.4 kB 16.4 kB
app-route.ru...dev.js gzip 23.6 kB 23.6 kB
app-route.ru..prod.js gzip 16.4 kB 16.4 kB
pages-api-tu..prod.js gzip 9.37 kB 9.37 kB
pages-api.ru...dev.js gzip 9.64 kB 9.64 kB
pages-api.ru..prod.js gzip 9.37 kB 9.37 kB
pages-turbo...prod.js gzip 21.9 kB 21.9 kB
pages.runtim...dev.js gzip 22.6 kB 22.6 kB
pages.runtim..prod.js gzip 21.9 kB 21.9 kB
server.runti..prod.js gzip 49.3 kB 49.3 kB
Overall change 258 kB 258 kB
Diff details
Diff for page.js

Diff too large to display

Diff for app-page-exp..ntime.dev.js 
failed to diff
Diff for app-page-exp..time.prod.js

Diff too large to display

Diff for app-page-tur..time.prod.js

Diff too large to display

Diff for app-page-tur..time.prod.js

Diff too large to display

Diff for app-page.runtime.dev.js

Diff too large to display

Diff for app-page.runtime.prod.js

Diff too large to display

Commit: 7f59dff

@ztanner ztanner force-pushed the 11-27-verify_action_id_before_parsing_body branch 2 times, most recently from 3dc7e70 to 0a15a4c Compare November 27, 2023 18:31
@ztanner ztanner force-pushed the 11-24-update_status_codes_for_redirect_and_permanentRedirect_in_action_handlers branch from 47128a8 to 83b5398 Compare November 27, 2023 18:45
@ztanner ztanner force-pushed the 11-27-verify_action_id_before_parsing_body branch 4 times, most recently from 00ce649 to 158fb83 Compare November 27, 2023 20:19
@ztanner ztanner force-pushed the 11-24-update_status_codes_for_redirect_and_permanentRedirect_in_action_handlers branch from d97b665 to d2d21c3 Compare November 27, 2023 22:56
@ztanner ztanner marked this pull request as ready for review November 27, 2023 23:00
@ztanner ztanner force-pushed the 11-24-update_status_codes_for_redirect_and_permanentRedirect_in_action_handlers branch 2 times, most recently from 1f711ea to 7ef3827 Compare November 28, 2023 15:14
@ztanner ztanner requested review from a team and ismaelrumzan and removed request for a team November 28, 2023 15:14
@ztanner ztanner requested a review from molebox November 28, 2023 15:14
@ztanner ztanner mentioned this pull request Nov 28, 2023
Merged
@ztanner ztanner force-pushed the 11-24-update_status_codes_for_redirect_and_permanentRedirect_in_action_handlers branch from 7ef3827 to 1d2ab51 Compare November 28, 2023 15:29
shuding
shuding previously approved these changes Nov 28, 2023
View reviewed changes
@ztanner ztanner force-pushed the 11-27-verify_action_id_before_parsing_body branch from 158fb83 to cd6e616 Compare November 28, 2023 15:45
Base automatically changed from 11-24-update_status_codes_for_redirect_and_permanentRedirect_in_action_handlers to canary November 29, 2023 08:35
@kodiakhq kodiakhq Bot dismissed shuding’s stale review November 29, 2023 08:35

The base branch was changed.

@ztanner ztanner force-pushed the 11-27-verify_action_id_before_parsing_body branch from cd6e616 to b2112f9 Compare November 29, 2023 14:55
@ztanner ztanner enabled auto-merge (squash) November 29, 2023 19:50
@ztanner ztanner merged commit 8395059 into canary Nov 29, 2023
@ztanner ztanner deleted the 11-27-verify_action_id_before_parsing_body branch November 29, 2023 19:55
@github-actions github-actions Bot locked as resolved and limited conversation to collaborators Dec 14, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@shuding shuding shuding approved these changes

@timneutkens timneutkens Awaiting requested review from timneutkens

@ijjk ijjk Awaiting requested review from ijjk

@huozhi huozhi Awaiting requested review from huozhi

@feedthejim feedthejim Awaiting requested review from feedthejim

@wyattjoh wyattjoh Awaiting requested review from wyattjoh

@ismaelrumzan ismaelrumzan Awaiting requested review from ismaelrumzan ismaelrumzan was automatically assigned from vercel/devex

@molebox molebox Awaiting requested review from molebox molebox was automatically assigned from vercel/devex

Assignees

No one assigned

Labels

created-by: Next.js team PRs by the Next.js team. locked type: next

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ztanner @ijjk @shuding